The Right Stuff: What it Takes to be a Security Leader
Debbie Wheeler, CISO of Fifth Third Bank, Shares Insights
What Does Security Leadership Entail?
Information Security Media Group (ISMG), publisher of BankInfoSecurity.com and CUInfoSecurity.com, recently posed this and other questions to Debbie Wheeler, Chief Information Security Officer for Fifth Third Bancorp. In her current role she is responsible for establishing policy, standards and governance over the implementation of Information Security controls and procedures, as well as end user education and training for the Bancorp. Here are her thoughts on security leadership.
Upasana Gupta: What makes a good CISO?
Debbie Wheeler: I believe a good CISO is one who has knowledge of the business or industry they are practicing in, and can establish collaborative working relationships with both the business and with IT. Obviously, a strong technical background in Information Security is a must.
I believe leadership, as a skill, is innate. I do not believe you can train leaders. I think you can train managers, and there's a big difference. A component of leadership is vision...being able to create and compel people to a vision. I have yet to meet a leader who was trained to do this, vs. born with the ability.
I began my career in information technology support...working on the help desk at a hospital and being dispatched to repair computer systems, or running cabling for token ring networks and configuring bridges. I then "graduated" to a network engineer position with MCI, and after several months, began focusing on security. At that time, security wasn't a field in and of itself like it is today; it was a series of tasks that were usually given to someone with system administration knowledge. It's evolved into its own field.
I've been in my present position for two and a half years now. I report on a temporary basis to the Chief Architect who reports to our CIO. There is discussion ongoing about moving our function under the Chief Enterprise Risk Officer. This change will take place later this year.
Gupta: Tell us about your role. How has it changed in your tenure?
Wheeler: My role entails creating vision and strategy for the enterprise security program at the Bank. Additionally, I oversee governance of the program and ensure measurement of the program, creation and lifecycle support for policy and standards development, and we have some operational responsibilities in terms of access and identity administration, vulnerability scanning, penetration testing and remediation tracking.
Since joining the Bank in 2005, the role has not changed dramatically. I've attempted to move more of the operational support components out of Security and into IT, so that Security is focused on assessing risk to the technology infrastructure of the bank, and responding to those risk issues with suggested remediation and testing of remediation efforts to ensure success. Additionally, I'm attempting to steer the department toward production of stronger, more meaningful metrics and reporting on the risk posture of the Bank, from a technology perspective.
The aspect of my job I most enjoy is the opportunity to interact with and educate our customers and employees on Information Security. The biggest challenges in my role are educating and maintaining awareness among our executives as to the challenges of maintaining a secure environment and the need to continuously make investments in the security program.
What keeps me awake at night is the knowledge that our customers and potential customers, who rely on the Internet to conduct business whether with us, or with other vendors, merchants, etc., are typically unaware of the dangers of doing so, and are not taking the time to properly educate themselves on how to be safe online. They inadvertently expose their information and their identities in a number of ways, and don't always want to know that a loss they've experienced is because of something they've done, that could have been avoided had they taken the time to install appropriate software, or learned a little bit about the risks and exposures of their activities.
Gupta: Where do you spend the bulk of your time in the course of a day?
Wheeler: The bulk of my time during the day is spent in meetings...meetings to evaluate new technologies or implementations that could place the bank at increased risk, meetings to discuss audit and compliance/regulatory issues and our approach to them, or meetings to discuss emerging trends and problems we need to be aware of and plan for today.
Gupta: When you leave this role, what would you like to be remembered for?
Wheeler: I would like to be remembered as a passionate, conscientious CISO with unquestionable integrity and ethics, who always kept the best interest of the customer and the Bank at heart.
Gupta: How do you build a winning team?
Wheeler: Building a winning team involves four things: hiring the right people, treating them the way you would want to be treated, keeping them challenged in their jobs, and giving them opportunities to learn and grow.
The qualities I look for when hiring staff are: 1) willingness to work as a member of a team (fit); 2) technical skills and accomplishments - what have they delivered; 3) desire to learn and stretch; 4) a can-do, solutions-oriented attitude.
Security leaders need to understand the business...the drivers, the risks, the customers and audience the business caters to. Understanding these things allows you to hone in on the risk issues unique to your business and come up with unique solutions for addressing and mitigating them. A collaborative attitude and willingness to work alongside the business to address the risks, while ensuring continuity of the business objectives, is an absolute must for anyone entering the Information Security field in a leadership role.
Gupta: How does an individual bank's culture and management style influence a CISO's leadership approach towards security?
Wheeler: Every organization has its own unique culture. And each CISO needs to determine if the culture of the organization is one in which they will be able to do their best work. If the culture doesn't embrace security, and doesn't embrace collaboration, then the CISO will not be successful, regardless of their credentials.
Gupta: Who is the CISO of the future?
Wheeler: It concerns me when I read about trends in Information Security to move the CISO away from having a technology background. Part of being successful in Information Security is understanding the technology used to manage information and the risks inherent in that technology. CISOs need to maintain a background grounded in the technologies and processes used to deliver and manage information to the organization. Only then can they fully understand the risks to that information. Additionally, CISOs need to be considered valuable business partners and organization leaders in determining the technology direction of the organization in which they work.
The CISO of the future needs to possess both technical knowledge so as to understand the risks to an organization, and knowledge of the business and its customers; the ability to balance between the two.
For more insight from Debbie Wheeler, see her podcast, in which she talks about risk management practices and policies for IT security and data leakage prevention.